Q1. What is the problem that you are trying to solve?
Some organizations need or want to be compliant with ISO 27001 (control A.9.4, System and application access control), and some features needed for that are missing in passbolt.
Q2 - Who is impacted?
Organizations targeting ISO 27001 compliance.
Q3 - Why is it important and/or urgent?
ISO 27001 compliance will help adoption in professional environments.
Q4 - What is your proposed solution? (optional)
- User activity log of who accessed a privileged (root user) password of the system and when, with a mandatory comment box for the reasoning.
- Fire an email alert to the resource owner (custodian).
- A passbolt admin must have a way to define or tag which passwords are privileged (root user), non-privileged (non-root user) and break-glass privileged (root2 user), and each such system must have a resource owner attached.
  - Non-root password access: the current implementation of password retrieval, for daily operations.
  - Root password access (system maintenance, or OS-level root access in general): the password cannot be retrieved directly; the password field is replaced with a Request button that pops up a reasoning box. A mail alert goes to the resource owner for approval. Once approved, the root password is retrievable as per the current design.
  - Break-glass account password access: emergency access to the password, with a mail alert to the resource owner including the reasoning (pop-up box). There is no approval step; instead the incident is taken over by an incident management system.
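As an added illustration (not passbolt code, and not part of the original request), here are the three access paths above modelled as a small server-side policy layer: non-root secrets are retrieved as today, root secrets require a reason plus owner approval before retrieval, and break-glass secrets are retrieved immediately with an alert to the owner, every step landing in an audit log. The class and method names, the resource names and the e-mail addresses are all constructed for the example.

```python
"""Constructed model of tiered password access with audit log and owner alerts.
Not passbolt's own code; all names here are illustrative assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Tier(Enum):
    NON_PRIVILEGED = "non-privileged"  # non-root user: retrieve as today
    PRIVILEGED = "privileged"          # root user: owner approval required
    BREAK_GLASS = "break-glass"        # root2 user: immediate access, owner alerted


@dataclass
class Resource:
    name: str
    tier: Tier
    owner: str  # resource owner / custodian e-mail


@dataclass
class AccessRequest:
    request_id: int
    resource: str
    requester: str
    reason: str
    status: str = "pending"  # pending -> approved | denied -> retrieved


class PrivilegedAccessVault:
    """In-memory stand-in for the policy layer in front of secret retrieval."""

    def __init__(self):
        self.resources = {}
        self.audit_log = []   # who / when / which resource / what / why
        self.outbox = []      # (recipient, subject): stand-in for mail alerts
        self.requests = {}
        self._next_id = 1

    def add_resource(self, resource):
        self.resources[resource.name] = resource

    def _log(self, user, resource, action, reason):
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(), "user": user,
            "resource": resource.name, "tier": resource.tier.value,
            "action": action, "reason": reason})

    def _alert(self, resource, subject):
        self.outbox.append((resource.owner, subject))

    def request_access(self, user, name, reason=""):
        """("retrieved", None) if the secret may be shown now,
        ("pending", request_id) if owner approval is required first."""
        resource = self.resources[name]
        if resource.tier is Tier.NON_PRIVILEGED:
            self._log(user, resource, "retrieved", reason)
            return "retrieved", None
        if not reason.strip():  # mandatory reasoning box for root and root2
            raise ValueError("a reason is mandatory for privileged passwords")
        if resource.tier is Tier.BREAK_GLASS:
            self._log(user, resource, "retrieved (break-glass)", reason)
            self._alert(resource, f"BREAK-GLASS: {user} opened {name}: {reason}")
            return "retrieved", None
        req = AccessRequest(self._next_id, name, user, reason)
        self._next_id += 1
        self.requests[req.request_id] = req
        self._log(user, resource, "requested", reason)
        self._alert(resource, f"Approval needed: {user} requests {name}: {reason}")
        return "pending", req.request_id

    def decide(self, approver, request_id, approve):
        """Only the resource owner may approve or deny a pending request."""
        req = self.requests[request_id]
        resource = self.resources[req.resource]
        if approver != resource.owner:
            raise PermissionError("only the resource owner may decide")
        if req.status != "pending":
            raise ValueError("request already decided")
        req.status = "approved" if approve else "denied"
        self._log(req.requester, resource, req.status, f"by {approver}: {req.reason}")
        return req.status

    def retrieve(self, user, request_id):
        """Root secret is retrievable once, by the requester, after approval."""
        req = self.requests[request_id]
        if req.requester != user or req.status != "approved":
            raise PermissionError("no approved, unused request for this user")
        req.status = "retrieved"
        self._log(user, self.resources[req.resource], "retrieved", req.reason)
        return "retrieved"


def demo():
    """Walk through all three paths; returns the audit actions in order."""
    v = PrivilegedAccessVault()
    for name, tier in [("app-db-user", Tier.NON_PRIVILEGED),
                       ("app-db-root", Tier.PRIVILEGED),
                       ("app-db-root2", Tier.BREAK_GLASS)]:
        v.add_resource(Resource(name, tier, "owner@example.test"))
    v.request_access("alice", "app-db-user")                 # daily operations
    _, rid = v.request_access("alice", "app-db-root", "kernel patching")
    v.decide("owner@example.test", rid, True)
    v.retrieve("alice", rid)
    v.request_access("alice", "app-db-root2", "prod outage")  # break-glass
    return [e["action"] for e in v.audit_log], len(v.outbox)
```

The key properties a reviewer of such a feature would check are visible in the model: a root secret never becomes retrievable without a logged reason, an owner decision and a single use of the approval, while break-glass trades the approval step for an immediate alert that the incident process then picks up.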
Q5. Community support
People can vote for this idea to show traction:
- Must have: this is critical for me to have this
- Should have: this is important for me to have this
- Could have: this could be nice to have
- Won’t have: we should not schedule this (explain why)
Admin edit: minor format edit (remy)